Where Is the Regulation of Transborder Data Flows Headed?

Anyone working in privacy and data protection law is familiar with the restrictions on transferring data outside the European Union contained in the EU Data Protection Directive. But did you know that non-EU countries as diverse as Israel, Mexico, Russia and South Korea have similar restrictions? And that since the 1970s, over 70 countries all over the world have enacted data protection and privacy laws regulating transborder data flows?

The regulation of data flows across national and regional borders under the data privacy laws of dozens of countries and international and regional regulatory instruments is the topic of my new book entitled Transborder Data Flows and Data Privacy Law, which will be published in May by Oxford University Press. European Data Protection Supervisor Peter Hustinx was kind enough to write a foreword to the book.

The subject is too complex to discuss in detail here, but I can share the gist of some of my conclusions:

Regulation of transborder data flows has spread far beyond its original roots in Europe and now includes many countries in Africa, Asia and Latin America as well.

The adequacy approach typified by the EU Directive has been and is likely to remain the most influential model, though other ones—such as the accountability approach—have emerged in recent years.

Technological developments—particularly the growth of the Internet—and globalization raise important questions about transborder data flow regulation. For example, does it make sense anymore to distinguish between “transborder data flows” and any other kind of online data processing, given that data flows on the Internet without regard to national borders?

The types of data transferred across borders have also changed over time. There is now much more data containing information about identifiable persons (i.e., personal data) being transferred than ever before as well as more sharing of personal data between governments—often for law enforcement purposes.

Providing protection to personal data as they are accessed and transferred around the world has attained considerable economic importance and private-sector instruments—such as contractual clauses and internal corporate rules and policies—are increasingly used for this purpose.

There is a need for greater transparency about how data are transferred internationally and for greater interoperability between regulatory approaches.

Regulation tends to focus too much on applying local standards to personal data transferred outside national borders, rather than on the global implications of restricting transborder data flows.

A major theme of the book is the tension between regulation of transborder data flows and other legal requirements. As such regulation has spread, it has increasingly led to conflicts with legal obligations in other areas. Moreover, other important interests—such as freedom of expression and ensuring the free flow of data—are sometimes not sufficiently taken into account.

There is also a disproportionate relationship between the increasing flood of personal data now being transferred online and the limited possibility to enforce transborder data flow regulation by traditional legal means.

Where is the regulation of transborder data flows headed?

The number of countries enacting it will continue to grow and agreement on an international treaty dealing with the subject is highly unlikely, given the different approaches taken in different countries.

However, countries could take certain steps to produce an improved regulatory framework. For instance, if they are going to enact such regulation, then governments should themselves comply with it, which is often not the case. Transborder data flow regulation will continue to spread around the world and to create conflicts with other requirements, which companies and other organizations will have to come to terms with as a permanent feature of the global privacy landscape.

Author

Tags

1 Comment

Chris,
As always you have the best insights on the challenges of global privacy. Seems like there is a collision course between globalization of digital commerce and the profileration of the adequacy model (which seems more like a step back into restrictionist trade rules of the 19th century). The result--a world of data privacy fortresses? APEC's CBPR work seems like a bright spot to this world of barriers.

Related Stories

Privacy Commissioner of Canada Daniel Therrien believes the question about whether privacy legislation should be amended is in the past. It is no longer should the country's privacy laws be amended, but what is the best way to do so, and with the announcement of the country's Digital Charter, the co...

If we were to think of the data protection world in a broader historical context, we could say we are entering a new age. The decades prior to the reform of the previous EU data protection framework were, let's say, pre-history. Basic rules governed the collection and use of personal information in ...

Artificial intelligence is rapidly transforming the global economy and society. From accelerating the development of pharmaceuticals to automating factories and farms, many countries are already seeing the benefits of AI.
Unfortunately, it is becoming increasingly clear that the European Union’s d...

The U.S. Congress is currently considering a number of competing bills aimed at implementing a federal privacy law. Although the details of each proposal vary, such a law would have a profound effect on how an individual’s personal data may be used, shared and protected. Still, the specifics of a ne...

As we approach the one-year anniversary of the EU General Data Protection Regulation's implementation date, organizations are still grappling with the detailed framework and all its corresponding guidance and documentation. Keeping track of it all is no small task. That's why the IAPP has compiled t...

The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, support and improve the privacy profession globally.

The IAPP is the only place you’ll find a comprehensive body of resources, knowledge and experts to help you navigate the complex landscape of today’s data-driven world. We offer individual, corporate and group memberships, and all members have access to an extensive array of benefits.